batcave: renew proxy letsencrypt certs weekly

We occasionally run into problems with certs that aren't renewed in time or are close to expiring. Just running the proxies playbook will renew them, but in freezes or the like sometimes there's a long time period where we don't run that playbook. So, lets just run weekly with the right tag. This should renew any cert thats close to expiring. The job shouldn't normally output anything, but if there's errors it will email them to admin@ Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2024-03-27 17:27:13 -07:00 · 2024-03-27 17:27:13 -07:00 · c5f2475537
parent 5310a60518
commit c5f2475537
2 changed files with 19 additions and 0 deletions
--- a/roles/batcave/files/proxy-certs-check-renew.cron
+++ b/roles/batcave/files/proxy-certs-check-renew.cron
@ -0,0 +1,8 @@
+#!/bin/bash
+mailto='admin@fedoraproject.org'
+source /root/sshagent >>/dev/null
+export ANSIBLE_HOST_KEY_CHECKING=False
+export HOME=/root/
+#export ANSIBLE_SSH_PIPELINING=False
+export ANSIBLE_HASH_BEHAVIOUR=merge
+timeout 24h ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t letsencrypt -f 20 |& grep fatal
--- a/roles/batcave/tasks/main.yml
+++ b/roles/batcave/tasks/main.yml
@ -258,6 +258,17 @@
  - config
  when: inventory_hostname.startswith('batcave01')

+#
+# Setup job that runs letsencrypt on proxies each week
+#
+
+- name: setup letsencrypt run for proxies
+  copy: src=proxy-certs-check-renew.cron dest=/etc/cron.weekly/proxy-certs-check-renew.cron mode=0755
+  tags:
+  - batcave
+  - config
+  when: inventory_hostname.startswith('batcave01')
+
 #
 # Setup rhel6 sync script.
 #